[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

Sean Dague sean at dague.net
Mon Jan 4 13:21:35 UTC 2016


On 12/30/2015 03:23 PM, Farr, Kaitlin M. wrote:
> All,
> 
> Please reply or send me an email if you are using the ConfKeyManager
> (fixed-key key manager) in deployment for volume encryption or
> ephemeral storage encryption. You can check this by looking at the
> [keymgr] section, api_class entry of nova.conf or cinder.conf. The
> ConfKeyManager was only intended for testing and I am working on
> deprecating it. I would like to gauge the number of people using
> that backend, because it may affect the deprecation strategy.
> 
> This is the start of the effort to replace the duplicated key manager
> code with Castellan [1], a key manager interface library that allows
> the user to swap out different backends, such as Barbican. While
> Castellan is based on the key managers built into Nova and Cinder, it
> does not have the fixed-key backend. That backend is insecure. A single
> key is used for all volumes. If the key is compromised, all of the
> encrypted data is easily decrypted. See Joel Coffman's comments on the
> Nova spec [2]. Deprecating the fixed-key key manager would need to
> occur before Castellan is integrated.
> 
> Again, please let me know if you use the ConfKeyManager and you
> actively use the volume encryption and encrypted cinder volume features
> in a deployment.
> 
> Other feedback is also welcome.
> 
> I am also creating a separate thread with this info on the operators
> mailing list.
> 
> Thanks,
> 
> Kaitlin Farr
> 
> 1. Castellan source code. https://github.com/openstack/castellan
> 2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/
> 3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/

The fixed key manager is useful for easy testing (we're using it in the
gate in places where barbican isn't available). Is there anything
equivalent with Castellan?

	-Sean

-- 
Sean Dague
http://dague.net
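As an added example for readers of this thread (not code from the thread, from Nova, Cinder or Castellan), the following Python script performs the check Kaitlin describes: read the `[keymgr]` section of nova.conf or cinder.conf and flag any `api_class` whose class name is `ConfKeyManager`, i.e. the fixed-key backend in which one key protects every volume. The sample config texts are constructed, and the full module paths in them (`nova.keymgr.conf_key_mgr.ConfKeyManager`, `cinder.keymgr.barbican.BarbicanKeyManager`) are assumptions for illustration; the thread itself only names the class `ConfKeyManager` and the `api_class` option. A file with no `api_class` is reported as "unset" rather than "ok", because the effective backend is then whatever the release default is and must be confirmed separately.

```python
import configparser
from typing import Optional

# Constructed sample configuration texts, standing in for real nova.conf /
# cinder.conf files. The module paths are assumptions used for illustration.
NOVA_CONF_FIXED_KEY = """
[DEFAULT]
debug = false

[keymgr]
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager
"""

CINDER_CONF_BARBICAN = """
[DEFAULT]
debug = false

[keymgr]
api_class = cinder.keymgr.barbican.BarbicanKeyManager
"""

NO_KEYMGR_SECTION = """
[DEFAULT]
debug = true
"""


def keymgr_api_class(conf_text: str) -> Optional[str]:
    """Return the [keymgr] api_class value, or None if section/option is absent."""
    # OpenStack configs may repeat options and contain '%' in values, so
    # disable interpolation and strict duplicate checking.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("keymgr"):
        return None
    return parser.get("keymgr", "api_class", fallback=None)


def audit_keymgr(conf_text: str, name: str) -> dict:
    """Classify a config as 'fixed-key', 'ok' or 'unset' by its key manager class."""
    api_class = keymgr_api_class(conf_text)
    if api_class is None:
        # No explicit backend: the release default applies; verify it by hand.
        verdict = "unset"
    elif api_class.strip().rsplit(".", 1)[-1] == "ConfKeyManager":
        # Fixed-key backend: a single key for all volumes, test-only.
        verdict = "fixed-key"
    else:
        verdict = "ok"
    return {"file": name, "api_class": api_class, "verdict": verdict}


def main() -> None:
    samples = [
        (NOVA_CONF_FIXED_KEY, "nova.conf (constructed)"),
        (CINDER_CONF_BARBICAN, "cinder.conf (constructed)"),
        (NO_KEYMGR_SECTION, "nova.conf without [keymgr] (constructed)"),
    ]
    for text, name in samples:
        result = audit_keymgr(text, name)
        print(f"{result['file']}: api_class={result['api_class']} -> {result['verdict']}")


if __name__ == "__main__":
    main()
```

To run this against a real deployment, replace the constructed strings with the contents of `/etc/nova/nova.conf` and `/etc/cinder/cinder.conf` on each node (the files, not the strings, are authoritative); any "fixed-key" result is a host whose volume encryption depends on one shared key.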
